Free ABM Acceleration Program

Free ABM Acceleration Program

Full month of Tinct, every feature unlocked, 200 AI-personalized landing page variations

Full month of Tinct, every feature unlocked, 200 AI-personalized landing page variations

2/30 spots left

Privacy Policy

Tinct SAS · Last updated June 2026

This Privacy Policy explains how Tinct SAS (“Tinct”, “we”, “us”) processes personal data in connection with the Tinct platform, a B2B account-based marketing (ABM) landing-page personalisation service. It is written to comply with Regulation (EU) 2016/679 (the “GDPR”) and the French Data Protection Act (Loi Informatique et Libertés).

1. Who we are

Data controller

Tinct SAS (société par actions simplifiée)

Registered office

5 Rue Pleyel, Bureau 3, 93200 Saint-Denis, France

Registration

SIREN 101 730 018 — RCS Bobigny

Data protection contact

contact@tinct.ai

Data Protection Officer

Not formally appointed — our processing does not meet the Article 37 GDPR criteria for a mandatory DPO. Data protection questions are handled at the address above.

2. Our two roles

Depending on the data, Tinct acts in one of two capacities under the GDPR:

  • As a data controller — for personal data relating to our own platform users (account, organisation, billing, security and support data). This Policy governs that processing.

  • As a data processor — for the website-visitor analytics data we process on behalf of our customers when our technology runs on their websites. In that case the customer is the controller, and the processing is governed by our Data Processing Agreement. If you are a visitor to a website using Tinct and wish to exercise your rights, please contact the operator of that website; we will assist them as required under Article 28 GDPR.

3. What data we collect, why, and our legal basis

As a controller, we process the following categories of personal data:

Purpose

Data

Legal basis (GDPR)

Account creation, authentication & profile

Email, password (bcrypt hash), first/last name, profile image (optional), phone (optional), Google / LinkedIn / Microsoft OAuth IDs (optional), language & notification preferences

Art. 6(1)(b) — performance of a contract

Organisation & team management

Email, name, role (Admin/Editor/Viewer), invitation status, inviter identity, join date

Art. 6(1)(b) — contract; Art. 6(1)(f) — legitimate interest (enabling teams)

Billing & invoicing

Billing name, email, address, phone (optional), subscription status. Card data is handled directly by Stripe and never stored by Tinct.

Art. 6(1)(b) — contract; Art. 6(1)(c) — legal obligation (accounting)

Security, fraud prevention & audit

IP address, last-activity date, access/security logs

Art. 6(1)(f) — legitimate interest (securing the service)

AI campaign-configuration assistant

Free-text chat messages (which may incidentally contain personal references)

Art. 6(1)(b) — contract

Service communications

Email address (for transactional emails: verification, password reset, invitations, notifications)

Art. 6(1)(b) — contract

Product & AI improvement

Aggregated, anonymised usage and Client Data

Art. 6(1)(f) - legitimate interest; opt-out available per Terms Art. 4.2.

We do not process special categories of personal data (Article 9 GDPR), and we do not carry out automated decision-making that produces legal or similarly significant effects on you (Article 22 GDPR).

4. Website-visitor analytics (where we act as processor)

When our technology runs on a customer’s website, it identifies the visiting company via reverse IP lookup in order to serve personalised content; it does not identify, track or profile individual natural persons. Our snippet can run in two configurations:

  • Basic — a session identifier stored only for the duration of the visit (cleared when the browser tab closes). No persistent identifier; no consent required where the CNIL audience-measurement exemption conditions are met.

  • Advanced — a persistent cookie that recognises returning visitors. This requires the visitor’s prior consent under the ePrivacy Directive before the cookie is set.

The customer operating the website is the data controller for this processing and is responsible for the lawful basis, consent and transparency toward its visitors. The Tinct cookie is set on the customer's own website (not on tinct.ai) and is disclosed in that website's cookie notice; this processing is governed by our Data Processing Agreement.

5. Who we share your data with

We share personal data only with vetted service providers (sub-processors) who process it on our behalf under written agreements with GDPR-compliant safeguards, and with authorities where required by law. We never sell your personal data.

The complete, up-to-date list of our sub-processors — including their role, location and transfer mechanism — is published at tinct.ai/static/sub-processors.

6. International data transfers

Our primary infrastructure is hosted within the European Union (AWS, eu-west-1, Ireland). Where a sub-processor processes data outside the European Economic Area, we rely on appropriate safeguards under Chapter V GDPR — primarily the European Commission’s Standard Contractual Clauses (SCCs), and, for several US providers (such as Stripe, Google and Microsoft), additional certification under the EU–US Data Privacy Framework.

7. How long we keep your data

Data

Retention

Account & profile data

Duration of the account + 30 days (scheduled deletion)

Organisation membership data

Duration of membership + 30 days

Billing & invoicing records

Duration of the contract + 10 years (French Commercial Code, Art. L123-22)

Security / access logs (CloudWatch)

90 days

AI conversation history

Duration of the account

Verification codes / OTP

Until used or expired (short-lived)

Persistent analytics cookie (Advanced mode)

13 months; associated data max 25 months (CNIL guidance)

8. Your rights

Under the GDPR you have the right to: access your data; rectify inaccurate data; erase your data; restrict processing; data portability (in a structured, machine-readable format); object to processing based on legitimate interest; and, where processing is based on consent, withdraw that consent at any time without affecting prior processing.

Most of these can be exercised directly in your account settings. Otherwise, contact contact@tinct.ai; we respond within one month. You also have the right to lodge a complaint with your local supervisory authority — in France, the CNIL (cnil.fr).

9. Security

We implement technical and organisational measures appropriate to the risk, in accordance with Article 32 GDPR, including: encryption at rest (AES-256) and in transit (TLS 1.2+); databases isolated in private networks with no public access; role-based access control and secrets management; multi-factor and OTP verification for sensitive operations; rate limiting and bot protection; continuous monitoring and logging; and a documented data-breach response procedure (notification to the CNIL within 72 hours where required). Tinct is also pursuing ISO 27001 certification.

10. Cookies

Our website and platform use cookies and similar technologies. For details and to manage your preferences, see our Cookie Policy.

11. Changes to this policy

We may update this Policy from time to time. The current version is always published on this page with its “last updated” date; we will notify users of material changes by email where appropriate.

12. Contact

Questions about your data or this Policy? Email contact@tinct.ai or write to Tinct SAS, 5 Rue Pleyel, Bureau 3, 93200 Saint-Denis, France.